I want to create a Spring server and a browser JavaScript client connecting via sockjs-client. The connection should be secured via Spring Security.
I have the following dilemma:
Spring Security seems to assume that the websocket handshake happens via an authenticated http session (E.g. JSESSIONID cookie set, login happened).
sockjs-client, however, seems to impose the limitation on developers that no authenticated HTTP session must be used (see https://github.com/sockjs/sockjs-client/issues/196), enforcing this any way it can.
Is my evaluation of the dilemma correct, and is there any obvious solution to implement security on a Spring server with websockets such that sockjs-client can securely connect?
The proposed solution of passing an authentication token in the GET /info request seems like a hack to circumvent the SockJS security restrictions, if used to create an authenticated HttpSession.
This seems to be the basis for problems for several people, such as:
- No cookies during /info request using sockjs and stomp
- Authentication model for Spring Websocket + SockJS and sending messages on per-user basis
- How to get/set the principal and session attributes from Spring 4 stomp websocket methods
- https://stackoverflow.com/questions/33156282
- Spring Websockets @SendToUser without login?
- Spring Session Basic Auth token passed as query parameter in Spring-Websocket
- Spring security websocket and HTTP authentication/authorization
- Spring Session, Websocket Security integration flow
- Spring security/Spring session/Web sockets
- Spring Boot, Websockets cannot obtain user (i.e, java.security.Principal) from Session
- Spring 4 WebSocket over STOMP Authentication
- http://sunitkatkar.blogspot.de/2014/01/spring-4-websockets-with-sockjs-stomp.html
I see three alternative ways to go:
- Don't use SockJS, but native WebSockets only
- Use SockJS over an authenticated HTTP session via the query-param token, and sacrifice some security
- Connect via an unauthenticated HTTP connection and implement custom authentication handling for spring-websockets (maybe based on Spring Session)
Source: https://stackoverflow.com/questions/38662289/how-to-combine-spring-security-and-js-sockjs-client
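The third alternative above (an unauthenticated HTTP handshake, with authentication done on the STOMP layer instead) can be implemented with a Spring `ChannelInterceptor` that inspects the STOMP CONNECT frame, validates a token carried in a native STOMP header, and attaches the resulting principal to the session. The following is an added example, not code from the question or from Spring's own sources. It assumes Spring 5+ with spring-websocket and spring-security on the classpath; the endpoint path `/ws`, the header name `X-Auth-Token` and the in-memory token map are placeholder assumptions, and a real deployment would validate the token against its own token service.

```java
import java.security.Principal;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.messaging.Message;
import org.springframework.messaging.MessageChannel;
import org.springframework.messaging.simp.config.ChannelRegistration;
import org.springframework.messaging.simp.config.MessageBrokerRegistry;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.ChannelInterceptor;
import org.springframework.messaging.support.MessageHeaderAccessor;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.web.socket.config.annotation.EnableWebSocketMessageBroker;
import org.springframework.web.socket.config.annotation.StompEndpointRegistry;
import org.springframework.web.socket.config.annotation.WebSocketMessageBrokerConfigurer;

/**
 * STOMP-level token authentication over a SockJS endpoint whose HTTP handshake
 * is unauthenticated (no JSESSIONID required). Illustrative example, not from the question.
 */
@Configuration
@EnableWebSocketMessageBroker
public class StompTokenAuthConfig implements WebSocketMessageBrokerConfigurer {

    @Override
    public void registerStompEndpoints(StompEndpointRegistry registry) {
        // Placeholder endpoint path; SockJS fallback transports are enabled.
        registry.addEndpoint("/ws").withSockJS();
    }

    @Override
    public void configureMessageBroker(MessageBrokerRegistry registry) {
        registry.enableSimpleBroker("/topic", "/queue");
        registry.setApplicationDestinationPrefixes("/app");
        // Needed so @SendToUser / convertAndSendToUser resolve the principal set below.
        registry.setUserDestinationPrefix("/user");
    }

    @Override
    public void configureClientInboundChannel(ChannelRegistration registration) {
        // Every inbound client frame passes through this interceptor before the broker sees it.
        registration.interceptors(new StompConnectAuthInterceptor());
    }

    static class StompConnectAuthInterceptor implements ChannelInterceptor {

        // Constructed placeholder token store: token -> username. Replace with a real token service.
        private static final Map<String, String> TOKENS = Map.of("demo-token-123", "alice");

        @Override
        public Message<?> preSend(Message<?> message, MessageChannel channel) {
            StompHeaderAccessor accessor =
                    MessageHeaderAccessor.getAccessor(message, StompHeaderAccessor.class);

            // Only the CONNECT frame carries credentials; later frames reuse the session's principal.
            if (accessor != null && StompCommand.CONNECT.equals(accessor.getCommand())) {
                String token = accessor.getFirstNativeHeader("X-Auth-Token"); // placeholder header name
                String username = (token == null) ? null : TOKENS.get(token);
                if (username == null) {
                    // Throwing here makes Spring send a STOMP ERROR frame and close the session,
                    // so an unauthenticated client never reaches the broker.
                    throw new BadCredentialsException("Missing or invalid STOMP auth token");
                }
                Principal principal = new UsernamePasswordAuthenticationToken(
                        username, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
                // Associates the principal with this WebSocket session for the rest of its lifetime.
                accessor.setUser(principal);
            }
            return message;
        }
    }
}
```

On the client side the token travels in the STOMP CONNECT headers rather than in the HTTP handshake, e.g. `stompClient.connect({ 'X-Auth-Token': token }, onConnected)` with stomp.js over a SockJS transport, so neither the `/info` request nor any query parameter carries a credential. Because the handshake itself is unauthenticated, the Spring Security HTTP rules should permit the SockJS endpoint, and authorization of destinations is then enforced on the messaging layer (for example via `AbstractSecurityWebSocketMessageBrokerConfigurer`), where the principal set in the interceptor is visible.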